Using Access Control Lists (ACLs) With IFS Directories and Folders
U-M Information Technology Central Services * S4111 * January 2004
You can control whether other people can see the folders and documents in your IFS home directory, whether they can make changes to them, and more by using Access Control Lists (ACLs). This document tells you how to do that. It also tells you about the pre-set access controls on the folders that are provided for you inside your IFS home directory. For general information about IFS and your home directory, see IFS Overview (R1070).
What Are ACLs?
An ACL is a list of uniqnames and/or protection groups to which access rights have been assigned. (A protection group -- or pts group -- is similar to an e-mail group except that it is used for assigning access rights instead of sending e-mail.) ACLs are set on folders, not on individual documents: a document is protected by the ACL of the folder that contains it. For example, you might create a folder in your IFS home directory that you want to use for a group project. You could then set ACLs for that folder to allow only your group members to see what is inside it and make changes.
There are seven basic access privileges that can be associated with an ACL and set for a folder. Each is indicated by a one-letter abbreviation.
- lookup (l). If you have lookup access to a folder, you can see -- or "list" -- the names of documents and folders inside it, but you cannot open and read them. A user must have lookup access rights in order to use any other rights. If, for example, you assigned read rights on a folder to a friend but did not assign lookup rights, your friend would not be able to see the documents in the folder and would therefore not be able to select any to open and read.
- insert (i). If you have insert access to a folder, you can add new documents and folders to it.
- delete (d). If you have delete access to a folder, you can delete documents and folders from it.
- admin (a). If you have admin access to a folder, you can change its ACL. Each folder has its own ACL, so changing the ACL on a folder does not by itself change the ACLs of the folders inside it. Because folders you create inherit your admin right from their parent, you have admin rights on all the folders inside your IFS home directory; you cannot, however, change the access privileges for your home directory itself.
- read (r). If you have read access to a folder, you can open and read any document inside that folder (assuming, of course, that you have the right application, such as Word or Excel, to open it).
- write (w). If you have write access to a folder, you can make and save changes to any document inside it.
- lock (k). If you have lock access to a folder, programs you run can place advisory locks on the documents inside it, for example so that no other user alters a document while you are updating it. This right is rarely set by itself; it is included in the write and all combinations described below.
There are four combination rights that can be associated with an ACL. These are always spelled out and cannot be abbreviated.
- write. All rights except admin (rlidwk).
- read. Read and lookup rights (rl).
- all. All seven rights (rlidwka).
- none. No rights.
Your Pre-Set Folders
Your IFS home directory comes with some folders already inside it. ACLs have been set for these folders. You can change these ACLs if you wish. You have all access rights to your home directory and all the folders inside it. (Note that if your IFS home directory was created in the early 1990s, your ACLs may be slightly different from those listed below.)
- Public. The ACLs for your Public folder are
system:anyuser rl
<youruniqname> rlidwka
This means that anyone who can reach IFS, anywhere in the world and whether or not they have logged in, can see that you have a Public folder inside your IFS home directory and can read the documents inside it. No one other than you, however, can make changes to, add, or delete documents.
NOTE: Your own uniqname will be substituted for <youruniqname>.
HINT: You can publish your own home page on the web by using your Public folder. Create a folder called html inside your Public folder, and put your web page(s) inside. For more detail, see Create Your Own UM Web Page. Do not change the ACLs on your Public folder if you use it to publish on the Web.
- Shared. The ACLs for your Shared folder are
system:authuser l
<youruniqname> rlidwka
This means that anyone logged in to U-M IFS (the system:authuser group) can see that you have a Shared folder inside your IFS home directory and can list the names of the documents and folders inside it, but cannot open them. No one other than you, however, can make changes to, add, or delete documents.
- Private. The ACLs for your Private folder are
system:anyuser l
<youruniqname> rlidwka
This means that anyone who can reach IFS can see that you have a Private folder inside your IFS home directory. If they open that folder from a Macintosh computer or a PC and look inside, they will see the names of the documents and folders in it, but will not be able to open or read any of them. No one other than you can make changes to, add, or delete documents.
- Network Trash Folder. This folder is for Macintosh system use only. Do not delete it, and do not change its ACLs.
Other Folders
If you use Pine for e-mail or trn for Usenet news, other folders (for example, mail and news) may be created for you when you use those programs. It's best to just leave these folders alone; they are for the use of those programs only.
You can create folders inside your home directory and inside the pre-set folders. When you create a folder, it inherits the ACLs of the folder inside which it is created (that is, it inherits the ACLs of its parent folder).
Connect to the Login Service to Check and Set ACLs
To check and set ACLs, you must issue Unix commands. You can do this from the Login Service.
- Use secure (SSH) software to connect to the Login Service (login.itd.umich.edu).
- At the login prompt, enter your uniqname and press the Return key.
- At the AFS Password prompt, enter your UMICH password and press Return.
Checking ACLs
First connect to the Login Service (see directions above).
Checking ACLs for Your Home Directory
- At the % prompt, enter fs listacl and press Return. If you don't specify a directory, your IFS home directory (the current directory when you log in) will be checked. Here's a sample of how that might look:
galaga% fs listacl
- The ACLs for your home directory will be displayed:
Access list for . is
Normal rights:
system:anyuser l
<youruniqname> rlidwka
This means that anyone who can reach IFS, logged in or not, has lookup rights to your home directory, and that you have read, lookup, insert, delete, write, lock, and admin rights to your own home directory. Because system:anyuser does not have read access, no one else can open the files and documents that sit directly inside your home directory; what they can do with the folders inside it is governed by each folder's own ACL.
NOTE: system:anyuser is a built-in pts group that stands for everyone who can reach IFS, including people who have not logged in and users of other AFS sites. (Compare system:authuser, which includes only users who have logged in to U-M IFS.) Your own uniqname will be substituted for <youruniqname>.
Checking ACLs for Folders Inside Your Home Directory
To see ACLs for a specific folder inside your home directory, you must specify the folder name when you issue the command to list ACLs.
- At the % prompt, enter fs listacl <foldername> (where you have substituted the actual folder name for <foldername>) and press Return. For example, here is a % prompt followed by the command you would enter to see the ACLs on your Shared folder:
galaga% fs listacl Shared
- The ACLs will be displayed:
Access list for Shared is
Normal rights:
system:authuser l
<youruniqname> rlidwka
NOTE: Your own uniqname will be substituted for <youruniqname>.
IMPORTANT! Be sure to get the capitalization exact when you specify a folder name. If you ask for ACLs for a "shared" folder instead of a "Shared" folder, for example, you may get a message saying that the folder doesn't exist.
Checking ACLs on Other IFS Directories
As long as you know the path to an IFS directory or folder, you can find out its ACLs. For example, to see the ACLs for the Software Distribution Directory, enter the following at the % prompt on the Login Service:
fs listacl /afs/umich.edu/group/itd/swdist
HINT: In many cases, you can abbreviate the pathname by using a tilde (~). For example, you can also check the ACLs on the Software Distribution Directory by entering fs listacl ~swdist at the % prompt. And you can see the ACLs for the home directory of anyone at U-M by entering fs listacl ~<uniqname> (where you have substituted the person's uniqname for <uniqname>) at the % prompt. Do not type the angle brackets.
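The listing format above is easy to read once, but the entries that matter from a security standpoint are the two system groups and any admin right held by someone other than you. The following shell script is added here as an example; it is not part of the ITCS document. It checks a rights specification against the seven letters and the four combination names, and audits a captured fs listacl listing for entries that give system:anyuser more than lookup, give system:authuser any right that changes the folder, give admin to anyone but the owner, or grant rights without l (which, as explained above, cannot be used). The listing embedded in the script is constructed for the example, and bjensen:labmates and cwong are made-up names.

```shell
#!/bin/sh
# Added example (not part of the ITCS document): check rights specs and audit
# captured `fs listacl` output. Works on text only, so no AFS client is needed.

# Expand the four combination names into letters; a letter spec is passed
# through after checking each letter is one of the seven rights.
# Returns 1 (and prints nothing) for a bad spec.
expand_rights() {
    case "$1" in
        read)  printf 'rl\n' ;;
        write) printf 'rlidwk\n' ;;
        all)   printf 'rlidwka\n' ;;
        none)  printf '\n' ;;
        ''|*[!rlidwka]*) return 1 ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Audit one `fs listacl` listing read from stdin. $1 is the owner's uniqname
# (the one entry that is expected to hold admin). WARN lines need action;
# INFO lines are context. Positive and negative entries are told apart by
# the listing's own "Normal rights:" / "Negative rights:" headings.
audit_acl() {
    awk -v owner="${1:-$USER}" '
        /^Access list for / { dir = $4; next }
        /^Normal rights:/   { neg = 0; next }
        /^Negative rights:/ { neg = 1; next }
        NF != 2             { next }
        {
            who = $1; rights = $2
            if (neg) {
                # A negative entry only bites when the person is logged in as
                # that uniqname; someone not logged in is just system:anyuser.
                printf "INFO %s: negative entry %s %s (no effect on unauthenticated access through system:anyuser)\n", dir, who, rights
                next
            }
            if (who == "system:anyuser" && rights != "l")
                printf "WARN %s: system:anyuser has %s; anyone on any AFS client, logged in or not, gets these rights\n", dir, rights
            if (who == "system:authuser" && rights ~ /[idwka]/)
                printf "WARN %s: system:authuser has %s; every logged-in U-M user can change this folder\n", dir, rights
            if (who != owner && who !~ /^system:/ && index(rights, "a") > 0)
                printf "WARN %s: %s holds admin (%s) and can rewrite this ACL\n", dir, who, rights
            if (index(rights, "l") == 0)
                printf "INFO %s: %s has %s without l, so the other rights cannot be used\n", dir, who, rights
        }'
}

# Constructed listing for the demonstration (not real fs output):
# bjensen:labmates and cwong are made-up names.
SAMPLE_LISTING='Access list for labwork is
Normal rights:
  system:anyuser rl
  system:authuser l
  bjensen:labmates rlidwk
  myuniq rlidwka
  cwong a
Negative rights:
  bjensen w'

# Demonstration. On the Login Service you would instead run:
#   fs listacl labwork | audit_acl <youruniqname>
printf '%s\n' "$SAMPLE_LISTING" | audit_acl myuniq
```

On the constructed listing the script reports two WARN lines (system:anyuser with rl, which is only appropriate on Public, and cwong holding admin) and two INFO lines (cwong's admin right without l, and the negative entry for bjensen). Run it over each of your pre-set folders after any change, and treat a WARN on anything other than Public as something to undo with fs setacl.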
Setting ACLs
First connect to the Login Service (see directions above). Note that you can only set ACLs on folders for which you have admin rights.
HINT: New folders inherit ACLs from the folders in which they are created. If you create a folder in the Shared folder inside your IFS home directory, for example, it automatically gets the same ACLs as your Shared folder. However, if you later change the ACLs of your Shared folder, the ACLs of the folders inside will not automatically change to match; the copy is made only once, when the folder is created.
TIP: If you find yourself needing to set ACLs on a folder for more than three or four people, consider using a protection (pts) group. A pts group is a lot like an e-mail group, except that it is a list of uniqnames rather than a list of e-mail addresses. You can use pts groups to give access rights to groups of people. This is especially helpful when the membership of the group to which you want to grant access changes over time: you edit the group once instead of editing the ACL on every folder. See Creating and Administering Protection (pts) Groups (S4033) for how to create a pts group. You then use the pts group name instead of individual uniqnames when setting ACLs.
Giving People Access Rights
You issue the fs setacl command at the % prompt to set ACLs. You indicate which folder, to whom you want to give access, and which rights, in that order:
fs setacl <folder> <uniqname or pts group> <rights>
For example, if you want to give Barbara Jensen (a fictitious person whose uniqname is bjensen) full access to the files in a folder called labwork inside your home directory (every right except admin), you would enter the following at the % prompt on the Login Service:
fs setacl labwork bjensen write
After entering the command and pressing Return, you will be returned to the % prompt. You can check the change by entering fs listacl labwork at the % prompt.
If you are setting ACLs for a folder outside your home directory, give the full path to the folder instead of just its name. For example, a folder called labwork in Barbara Jensen's home directory would be given as /afs/umich.edu/user/b/j/bjensen/labwork rather than labwork.
Taking Away Access Rights
To remove access rights, set the ACL entry for that person (or group) to none. This deletes the entry from the list.
For example, to take away Barbara Jensen's access rights to the labwork folder in your home directory, enter the following at the % prompt:
fs setacl labwork bjensen none
Denying Access Rights to Particular People in a Group
You may want to grant access rights to all the members of a pts group except one or two individuals. You do this by first setting ACLs to grant the appropriate rights to the pts group (for example, fs setacl <folder> <pts group name> read), then setting negative ACLs for the one or two individuals. A negative entry subtracts rights: whatever it lists is taken away from anything the same person is granted through group membership. Note that a negative entry for a uniqname works only against that person when they are logged in as that uniqname; it does not cut back rights that system:anyuser gives to someone who has not logged in. To keep a folder away from everyone but the group, also make sure system:anyuser and system:authuser have no more than lookup (l) on it. This example shows how to set negative ACLs denying Barbara Jensen all access to a folder:
fs setacl -negative <folder> bjensen all
If you change your mind and want to restore access, issue the following command to remove the negative entry:
fs setacl -negative <folder> bjensen none
Additional Resources
Visit ITCS's Information System to obtain ITCS computer documentation and other resources.
We welcome your comments; please send e-mail.
ITCS's Online Help Desk provides a variety of computing help resources.
For further help with IFS, send e-mail or phone (734) 764-HELP.
Appendix: Changing ACLs on Many Folders at Once (Advanced)
It is possible to set ACLs on all the folders inside a particular folder with just one command. However, we recommend you not try this unless you are comfortable using Unix and confident in your ability to enter everything correctly.
To change the ACLs on a folder and every folder beneath it (find matches the starting folder itself as well as the folders inside it; fs sa is short for fs setacl), issue the following command at the % prompt:
find <folder> -type d -exec fs sa {} <uniqname or pts group> <permissions> \;
Make the following substitutions, and do not type the angle brackets:
- <folder>. The name of the folder (or directory) within which you want to change all the ACLs.
- <uniqname or pts group>. The uniqname or pts group name for which you want to set ACLs.
- <permissions>. The access rights you want to set, either the letters or one of the combination names described above.
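Because find hands every folder to fs sa, a mistyped group name or rights spelling is repeated on every folder before you see the first error, and there is no record of what was touched. The script below is an added example, not part of the ITCS document: it prints the exact fs sa commands the appendix command would run, one per folder (the starting folder included, because find -type d matches it too), so you can read the plan before anything changes, and only then feeds the plan to sh. The plan step uses only find, sort and printf, so it works on any Unix system; apply_acl_change needs the AFS fs command. The folder tree in the comments is constructed for the example, and bjensen:labmates is a made-up pts group name.

```shell
#!/bin/sh
# Added example (not part of the ITCS document): preview an ACL change for a
# folder and every folder beneath it before applying it. Only the apply step
# needs an AFS client; the plan step works anywhere.

# Print one fs sa command per directory under $1 ($1 itself included, since
# find -type d matches the starting folder), for principal $2 with rights $3.
# Paths are single-quoted so names with spaces survive (a name containing a
# single quote is not handled); sorted so the plan is stable and can be
# compared with a later fs listacl of each folder.
plan_acl_change() {
    top="$1"; who="$2"; rights="$3"
    find "$top" -type d | LC_ALL=C sort | while IFS= read -r dir; do
        printf "fs sa -dir '%s' -acl %s %s\n" "$dir" "$who" "$rights"
    done
}

# Count how many folders a plan would touch. A surprisingly large number
# usually means the wrong starting folder (for example, . instead of labwork).
plan_folder_count() {
    plan_acl_change "$@" | grep -c .
}

# Run a reviewed plan. sh -e stops at the first folder that fs rejects, so a
# bad group name or rights spelling does not go on to the remaining folders.
apply_acl_change() {
    plan_acl_change "$@" | sh -e
}

# Demonstration on a constructed tree (no AFS needed for the preview):
#   mkdir -p labwork/data/raw 'labwork/notes with space'
#   plan_acl_change labwork bjensen:labmates read
# prints four lines:
#   fs sa -dir 'labwork' -acl bjensen:labmates read
#   fs sa -dir 'labwork/data' -acl bjensen:labmates read
#   fs sa -dir 'labwork/data/raw' -acl bjensen:labmates read
#   fs sa -dir 'labwork/notes with space' -acl bjensen:labmates read
# Once the plan looks right: apply_acl_change labwork bjensen:labmates read
```

Review the plan for two things before applying it: that the first line names the folder you meant (everything below it inherits the change), and that no folder in the list is one you want to keep on a different ACL, since fs sa on each folder replaces that principal's entry there. Confirm afterwards with fs listacl on a few of the folders.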